U.S. Rep. Andrew Garbarino (R-NY) introduced a resolution in the House this week to overturn the Securities and Exchange Commission’s (SEC) cyber disclosure rule.
The SEC adopted the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule on July 26, requiring companies to publicly disclose and describe any material cybersecurity incident. Companies are required to make this disclosure four business days after the incident has been identified and to describe their processes for identifying and managing risks from cybersecurity threats.
Garbarino said the SEC’s cybersecurity disclosures are in direct conflict with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which is being implemented by the Cybersecurity and Infrastructure Security Agency (CISA). CIRCIA requires CISA to issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity believes it occurred. CIRCIA also established the Cyber Incident Reporting Council at the Department of Homeland Security (DHS) to coordinate federal incident reporting requirements. Ultimately, by giving CISA and DHS these directives, Congress solidified its intent that CISA is the lead Federal agency for cybersecurity.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” said Garbarino, chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee. “CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden Administration has emphasized as well. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland. This CRA resolution will reinforce the congressional intent of CIRCIA and ensure that the SEC rule no longer poses a danger to our homeland.”
He added that while greater transparency around cybersecurity can increase resilience, public disclosure of ongoing incidents risks opening registrants up to further attacks. Further, he said that publicly reporting even the existence of a material incident before it is remediated would achieve the same effect as disclosing a vulnerability before there is a patch. This would only lead to attackers flocking to exploit the vulnerability for themselves.
U.S. Sen. Thom Tillis (R-NC) introduced a companion resolution in the Senate.
“As we have continuously seen, Gary Gensler’s SEC is doing their best to hurt market participants by overregulating firms into oblivion,” Tillis said. “I am proud to co-introduce the Resolution of Disapproval to strike down this overreaching rule that creates unrealistic timelines and unnecessary red tape that will ultimately make markets less safe overall.”
The Bank Policy Institute, U.S. Chamber of Commerce, and the American Bankers Association all support the resolution.